Cybersecurity experts have uncovered strategic overlaps between two advanced threat groups: the operators of the RomCom RAT and another entity linked to a malware loader known as TransferLoader.
According to enterprise security firm
Proofpoint, the TransferLoader activity is being tracked under the alias UNK_GreenSec, while RomCom RAT operations are attributed to the group TA829—also identified in cybersecurity circles as CIGAR, Storm-0978, Nebulous Mantis, and Void Rabisu, among other names.
Proofpoint's investigation into TA829 led to the discovery of UNK_GreenSec, with both groups displaying a high degree of similarity in infrastructure setup, email lure themes, delivery methods, and landing pages. “An unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes,” the company reported.
TA829 stands out in the cyber threat ecosystem for conducting both intelligence-gathering missions and financially driven cyberattacks. Believed to be aligned with Russian interests, the group has exploited zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to spread RomCom RAT to global victims.
Earlier this year, PRODAFT revealed that the threat actors behind RomCom RAT used stealthy techniques such as bulletproof hosting, encrypted C2 communication, and living-off-the-land (LOTL) tactics to avoid detection.
TransferLoader, meanwhile, was first analyzed by Zscaler’s ThreatLabz following a February 2025 campaign in which it was deployed to distribute Morpheus ransomware to an unnamed American law firm.
Proofpoint also noted that both TA829 and UNK_GreenSec use REM Proxy services hosted on compromised MikroTik routers as part of their upstream communication channels. However, the method of compromising these routers remains unknown.
"REM Proxy devices are likely rented to users to relay traffic," said the Proofpoint threat research team. "In observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers to then send to targets."
Further analysis suggests that both actors may rely on an automated email builder to rapidly generate sender accounts, as evidenced by similarly formatted addresses such as ximajazehox333@gmail.com and hannahsilva1978@ukr.net.
The phishing messages commonly carry a malicious link, embedded either directly in the email body or inside a PDF attachment. Victims clicking on these links are redirected through services like Rebrandly, ultimately landing on spoofed Google Drive or Microsoft OneDrive pages—carefully filtering out sandbox environments or uninteresting systems.
From here, the infection chain splits: victims redirected by UNK_GreenSec receive TransferLoader, while those targeted by TA829 are delivered a separate strain dubbed SlipScreen.
Both groups have reportedly used PuTTY’s PLINK utility to establish SSH tunnels and hosted payloads on IPFS (InterPlanetary File System) for further stages of their campaigns.
SlipScreen serves as a stealthy loader that decrypts and injects shellcode directly into system memory, but only proceeds if it detects at least 55 recently accessed documents in the Windows Registry—an apparent method to evade sandbox detection.
"We assess that 55 is an arbitrary number chosen by the actor," said Greg Lesnewich, senior threat researcher at Proofpoint. "Previous versions checked for 100 documents. It’s unclear why this threshold changed."
The loader then drops malware such as MeltingClaw (aka DAMASCENED PEACOCK) or RustyClaw, which can install backdoors like ShadyHammock or DustyHammock. ShadyHammock is often used to deploy SingleCamper (also known as SnipBot), an evolved version of RomCom RAT. DustyHammock, in addition to system reconnaissance, can retrieve payloads from IPFS-based storage.
TransferLoader-linked campaigns have been seen using job application-themed lures, tricking victims into clicking on a fake resume link that initiates the download of TransferLoader from an IPFS-hosted webshare.
Designed for stealth, TransferLoader enables the silent deployment of additional malicious tools including Metasploit and Morpheus ransomware, a rebranded variant of HellCat ransomware.
